CVE-2023-32955

8.1 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in the DHCP client functionality of Synology Router Manager (SRM). An attacker in a man-in-the-middle position can execute arbitrary commands on affected routers. All Synology routers running vulnerable SRM versions are affected.

💻 Affected Systems

Products:
  • Synology Router Manager (SRM)
Versions: SRM 1.2 before 1.2.5-8227-6 and SRM 1.3 before 1.3.1-9346-3
Operating Systems: Synology Router OS
Default Config Vulnerable: ⚠️ Yes
Notes: All Synology routers using affected SRM versions are vulnerable by default when DHCP client functionality is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete router compromise, allowing an attacker to intercept all network traffic, install persistent backdoors, pivot to internal network devices, and potentially brick the router.

🟠 Likely Case: Router compromise leading to network traffic interception, DNS hijacking, credential theft, and installation of malware on connected devices.

🟢 If Mitigated: Limited impact if network segmentation prevents lateral movement and external access to router management is restricted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires a man-in-the-middle position on the network, but no authentication. The advisory does not specify the exploit vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SRM 1.2.5-8227-6 or SRM 1.3.1-9346-3

Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_22_25

Restart Required: Yes

Instructions:

1. Log into the Synology Router Manager web interface.
2. Navigate to Control Panel > Update & Restore.
3. Check for updates.
4. Install SRM 1.2.5-8227-6 or SRM 1.3.1-9346-3.
5. Reboot the router after the update completes.

🔧 Temporary Workarounds

Disable DHCP client functionality

all

If the router is not acting as a DHCP client (e.g., using a static IP or a different DHCP server), disable the DHCP client to remove the attack vector.

Network segmentation

all

Isolate the router management interface on a separate VLAN with strict access controls.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the router from untrusted networks
  • Deploy network monitoring for unusual DHCP traffic patterns and command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the SRM version in Control Panel > Info Center > DSM/SRM Version. If the version is earlier than 1.2.5-8227-6 (for 1.2.x) or earlier than 1.3.1-9346-3 (for 1.3.x), the system is vulnerable.

Check Version:

ssh admin@router 'cat /etc.defaults/VERSION'

Alternatively, check the web interface: Control Panel > Info Center.

Verify Fix Applied:

Verify SRM version shows 1.2.5-8227-6 or higher (for 1.2.x) OR 1.3.1-9346-3 or higher (for 1.3.x) after update.
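
The per-branch comparison above is easy to get wrong by hand across many devices, so here is an added example (not from the advisory or from Synology) that applies it to version strings in the `1.2.5-8227-6` form. The function names, the `Update N` display variant, the treatment of branches other than 1.2 and 1.3, and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds per release branch, as listed on this page.
FIXED = {(1, 2): (1, 2, 5, 8227, 6), (1, 3): (1, 3, 1, 9346, 3)}

# Accepts "1.2.5-8227-6", "SRM 1.3.1-9346-3", "1.3-9193" and, as an assumed
# display variant, "SRM 1.3.1-9346 Update 3".
_VERSION_RE = re.compile(
    r"^\s*(?:SRM\s+)?(\d+)\.(\d+)(?:\.(\d+))?-(\d+)"
    r"(?:(?:-|\s+Update\s+)(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_srm_version(text):
    """Return (major, minor, patch, build, update); absent fields count as 0."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised SRM version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(text):
    """True when the version is earlier than the fixed build of its branch."""
    version = parse_srm_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not named on the page. Assumption: anything older than 1.2
        # never received the fix, anything newer than 1.3 already contains it.
        return version[:2] < min(FIXED)
    return version < fixed


def audit(inventory):
    """Return hosts needing the update; unparseable versions are flagged too."""
    flagged = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # fail closed: unknown version, check by hand
    return flagged


# Constructed inventory (hostnames and versions are sample data).
SAMPLE = [("rt-branch-01", "1.2.5-8227-5"), ("rt-branch-02", "1.2.5-8227-6"),
          ("rt-hq-01", "SRM 1.3.1-9346 Update 2"), ("rt-hq-02", "1.3.1-9346-3"),
          ("rt-lab-01", "1.3-9193"), ("rt-lab-02", "unknown")]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Comparing the parsed tuples rather than the raw strings avoids lexical mistakes such as ranking build 10000 below build 9346.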

📡 Detection & Monitoring

Log Indicators:

  • Unusual DHCP client activity
  • Unexpected command execution in system logs
  • Failed authentication attempts to router services

Network Indicators:

  • Abnormal DHCP traffic patterns
  • Unexpected outbound connections from router
  • DNS queries to suspicious domains from router

SIEM Query:

source="synology-router" AND (event_type="command_execution" OR dhcp_anomaly=true)
